Commit Graph

1994 Commits (fix-pythonic-build-install)

Author SHA1 Message Date
Sergey G. Brester f7aaaf50b8
`filter.d/exim.conf`: colon must be outside of F-RCPT group 2025-04-27 23:00:09 +02:00
Sergey G. Brester 52d239483d
typo 2025-04-16 17:18:36 +02:00
sebres cbe14c70c5 iptables.conf rewritten to affect all derivative actions (multiple chains are also supported by `iptables-ipset` etc);
iptables-xt_recent-echo.conf adjusted to be compatible with the new syntax of inherited iptables.conf;
test coverage fixed to new handling
2025-04-16 16:56:46 +02:00
Arnaud 37f72f88ef Reverting chains to chain in order to preserve backward compatibility
going back to the option named "chain", using "iteredchain" as a new variable to iterate over.
2025-04-16 16:06:29 +02:00
Arnaud 139151ec81 Update iptables.conf - allow bans to be effective on multiple chains at the same time
This patch allows the ban to be applied on the INPUT and the FORWARD chain at the same time. May be useful at least on routing devices and on docker hosting machines.
2025-04-16 16:06:28 +02:00
sebres c76e90fbb1 * Merge pull request #3940 from exim-pr-mode-more
`filter.d/exim.conf` - fewer REs by default, introduces mode `more`
2025-04-02 15:11:38 +02:00
Sergey G. Brester 6104444bb4
improve regex (anchored from left, no catch-alls, `<ADDR>` for IP, etc) 2025-04-01 17:28:58 +02:00
Rajib Sharia cf9135983c
Update jail.conf
Added jail for vaultwarden
2025-04-01 20:40:15 +08:00
Rajib Sharia c7f7bc55bb
Create vaultwarden.conf
Filter for unsuccessful Vaultwarden authentication attempts
2025-04-01 20:36:53 +08:00
sebres ee421dfbd6 `filter.d/apache-noscript.conf` - consider new log-format with "AH02811: stderr from /...";
closes gh-3900
2025-03-28 22:52:51 +01:00
sebres 8ae6eaf39a `filter.d/postfix.conf` - default `_daemon` in prefix-line is loosened - can match everything starting with word postfix, like `postfix-example.com/smtpd`;
closes gh-3297
2025-03-10 22:35:26 +01:00
Sergey G. Brester c035428535
Merge pull request #3954 from luckylittle/feature/systemd-journal-vsftpd
`filter.d/vsftpd.conf` - fixed regex (if failures generated by systemd-journal)
2025-03-04 14:20:01 +01:00
sebres 94fe9cf4a8 more fixes, capture user names, more tests...
since line 7 matches successfully now (it was disabled in gh-358 because of obsolete format), it is marked as match:true (line can be removed later if unneeded)
2025-03-04 14:13:07 +01:00
sebres 1e06ab68b4 fixed filter (new regex is unneeded), tests format of failures produced by system journal 2025-03-04 13:47:59 +01:00
Sergey G. Brester 13a74feaad
2nd RE unneeded, fix single RE - bypass everything before open parenthesis 2025-03-04 13:02:50 +01:00
Lucian Maly 6e3bfd800c
Added author 2025-03-04 12:26:14 +11:00
Lucian Maly 9d7646e6c0
Added author 2025-03-04 12:25:27 +11:00
Lucian Maly fd1d0d25a8
Added regex for systemd-journal matches of lighttpd-auth 2025-03-04 12:20:24 +11:00
Lucian Maly 65d473fc8e
Added regex for systemd-journal matches of vsftpd 2025-03-04 11:43:38 +11:00
Sergey G. Brester c9b5e845ba
`action.d/cloudflare-token.conf`: fixes `actionunban` retrieving of CF-ID from IP:
force adding parameters to URL as query string (add `-G` to curl);
closes gh-3952
2025-03-01 20:19:35 +01:00
Sergey G. Brester e5199aee92
action.d/ufw.conf: update comment:
fix syntax in example, because `dst` as command parameter doesn't have precedence over or-expression, so the second `sport` would ignore `dst` and kill any connection for https regardless of the IP
2025-03-01 00:23:55 +01:00
Sergey G. Brester c88967df2d
`filter.d/exim.conf` - introduces mode `more` (several rules moved from mode `normal` to `more`), because:
- they have basically nothing to do with authentication;
- they can cause false positives (e.g. someone sends several mails from a google mailing server to wrong recipients, and if they would cause "rejected RCPT - Unknown user", the google host gets banned);
- to avoid occasional bans of legitimate servers one would need to create a large white-list for `ignoreip` or construct complex `ignorecommands` to exclude all legitimate servers of big players (like google, microsoft, GMX, etc);
2025-02-13 21:30:04 +01:00
sebres 882e6d5e00 `filter.d/exim.conf` - mode `aggressive` extended to catch failures dropped by ACL, e.g. "ACL: Country is banned" 2025-02-10 17:30:07 +02:00
Sergey G. Brester 6fb3532c45
Merge pull request #3931 from brianjmurrell/patch-2
`from '[^']*'` is not always present …
2025-01-30 14:06:00 +01:00
sebres b55c20594e `paths-common.conf`: changed default `mysql_log` path (default `logpath` of `mysqld-auth` jail without maintainer overrides); adjusted comments (`log_error_verbosity = 3` instead of `log-warnings = 2`)
closes gh-3932
2025-01-30 14:00:43 +01:00
Brian J. Murrell b8ab346257
Merge branch 'fail2ban:master' into patch-2 2025-01-29 19:36:54 -05:00
sebres d2c60a168f combine several regexes to single RE 2025-01-30 01:13:49 +01:00
sebres e1fc569291 normalize jail (defaults, etc); added missing tests for all REs; common prefix for failregex, no catch-alls, etc 2025-01-30 01:13:48 +01:00
Philipp Burndorfer 88385eb6c1 New openvpn jail. 2025-01-30 01:13:46 +01:00
sebres 155a0855f2 silence codespell 2025-01-29 21:59:35 +01:00
Brian J. Murrell 325613a8f8
from '[^']*' is not always present …
In the message from asterisk.

Signed-off-by: Brian J. Murrell <brian@interlinx.bc.ca>
2025-01-28 13:09:29 -05:00
sebres a796cc9b91 `filter.d/dropbear.conf`: failregex extended to match different format of "Exit before auth" message;
closes gh-3791
2024-12-27 16:43:33 +01:00
MichaIng eb8b44370a
Make Dropbear regex more compatible and simpler
Dropbear uses `strftime` `"%b %d %H:%M:%S"` to print its timestamps, hence we know the day and time format, but the month could be localized. We hence allow any 3 word characters for it, and additionally simplify the day and time pattern into a single group.

Signed-off-by: MichaIng <micha@dietpi.com>
2024-12-27 14:00:36 +07:00
MichaIng dd9f359f5c
Fix Dropbear filter when logging to STDOUT
Since Debian Bookworm, the distribution ships Dropbear with a native systemd service instead of the default upstream init.d service, and accordingly uses the `-F` and `-E` flags, to run it in foreground and have it logging to STDOUT instead of syslog.

As usual, timestamps and also the PID are now included by the log message emitted by Dropbear, in addition to the systemd journal log prefix.

The Dropbear filter hence does not match anymore. This commit adds the PID and timestamp as optional pattern between prefix and fail log text, to support Dropbear on Debian Bookworm and newer (and likely new versions of other distros) without breaking the old pattern when running Dropbear without `-E` flag.

Additionally, for performance reasons, this commit adds a `journalmatch` entry, matching Debian's and Fedora's `dropbear.service` with `dropbear` executable/identifier, the most likely match for a Dropbear systemd service.

Signed-off-by: MichaIng <micha@dietpi.com>
2024-12-27 13:59:35 +07:00
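As an added illustration of the two Dropbear commits above (example code written for this page, not code from fail2ban or its contributors): a Python failregex built the same way, with Dropbear's own `[PID] %b %d %H:%M:%S ` stamp as an optional group between the log prefix and the failure text, the month taken as three word characters so a localized `%b` still matches, and a strict IPv4 group in place of a hostname-permissive one. The prefix pattern, the IPv4 group and the sample log lines are simplified constructions assumed here, not the shipped filter or real captured output.

```python
import re
from typing import List, Optional

# Syslog-style prefix (timestamp, host, "dropbear[PID]: "). Simplified stand-in for
# fail2ban's own prefix handling (assumption, not the shipped filter).
_PREFIX = r"^(?:\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ )?dropbear\[\d+\]: "

# Dropbear's own "[PID] %b %d %H:%M:%S " stamp, emitted when it runs with -E and logs
# to STDOUT instead of syslog. Optional, so the plain syslog form keeps matching; the
# month is \w{3} because strftime localises %b.
_STDOUT_STAMP = r"(?:\[\d+\] \w{3} \d{1,2} \d{2}:\d{2}:\d{2} )?"

# Strict IPv4 capture (an <ADDR>-like group): hostnames and free text never match it.
_ADDR = r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3})"

# Two Dropbear failure messages, modelled on its wording; anchored at end of line so
# nothing can trail after the port.
_FAIL = (
    r"(?:Bad password attempt for '[^']*'"
    r"|Login attempt for nonexistent user)"
    r" from " + _ADDR + r":\d+$"
)

FAILREGEX = re.compile(_PREFIX + _STDOUT_STAMP + _FAIL)


def extract_addr(line: str) -> Optional[str]:
    """Return the client address if `line` is a Dropbear auth failure, else None."""
    m = FAILREGEX.search(line)
    return m.group("addr") if m else None


def failed_addrs(lines: List[str]) -> List[str]:
    """Addresses of every failure in `lines`, in order (what a jail would count)."""
    return [addr for addr in map(extract_addr, lines) if addr]


# Constructed sample lines (not captured from a real host):
#   0: classic syslog form (no -E)
#   1: -E form on a systemd host: journal prefix, then Dropbear's own stamp
#   2: same, with a localized month in Dropbear's stamp and a different failure text
#   3: a success line, which must not match
SAMPLE_LINES = [
    "Dec 27 13:59:35 gw dropbear[1234]: Bad password attempt for 'root' from 192.0.2.1:51234",
    "Dec 27 13:59:35 gw dropbear[1234]: [1234] Dec 27 13:59:35 Bad password attempt for 'root' from 192.0.2.1:51234",
    "Dec 27 13:59:35 gw dropbear[1234]: [1234] Dez 27 13:59:35 Login attempt for nonexistent user from 198.51.100.7:40000",
    "Dec 27 13:59:35 gw dropbear[1234]: Password auth succeeded for 'admin' from 192.0.2.1:51234",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(extract_addr(line), "<-", line)
```

The optional stamp group is what keeps one regex valid for both deployments; if it were mandatory, every pre-Bookworm syslog install would silently stop banning. Keeping the IPv4 group strict matters for the same reason the later `<ADDR>` commits give: free text in the user field can never be mistaken for the address.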
sebres 89b5f3bb1e `filter.d/sshd.conf`: `ddos` and `aggressive` modes, regex extended for timeout before authentication (optional connection from part);
closes gh-3907
2024-12-26 14:24:15 +01:00
Sergey G. Brester 51358e1587
Merge pull request #3636 from szepeviktor/typos
Fix more typos
2024-12-21 19:31:54 +01:00
sebres 91c27d0600 `filter.d/freeswitch.conf`: bypass some new info in prefix before [WARNING] (changed default `_pref_line`);
closes gh-3143
2024-12-04 16:56:23 +01:00
sebres eb4731d8b1 action.d/*-ipset.conf: work around sporadic failures on stop if destroying ipset too fast (sleep a bit in error case and repeat);
closes gh-3624
2024-11-07 19:28:53 +01:00
Sergey G. Brester 89970d2e3e
Merge pull request #1351 from AntagonistHQ/csf
add support for the CSF firewall
2024-09-29 10:01:58 +02:00
Sergey G. Brester 363c0d5fd0
nftables.conf: fixed comment (since 7f1b578af4, gh-488 actioncheck would be never invoked in regular case) 2024-09-07 13:15:45 +02:00
thomas-333 44bd87951e
Update apprise.conf
Correct typo. "as" should read "has"
2024-09-02 10:17:10 +01:00
sebres 54c0effceb filter.d/sshd.conf: amend to #3747/#3812 (new ssh version would log with `_COMM=sshd-session`) 2024-08-11 12:10:12 +02:00
sebres c769046a1f Revert "`filterd./sshd.conf`: fixed journalmatch (sshd.service seems to be renamed to ssh.service)" - it'd been patched in the debian branch.
This reverts commit 6fce23e7ba.
2024-08-11 11:55:39 +02:00
sebres 8e0a2366f0 Fixes unmatched tag (caused unmatched brace); review: combined to single regex, simple case without injection attempts faster, `<HOST>` replaced with `<ADDR>` (faster and less vulnerable on complex cases, since doesn't match text as hostname) etc. 2024-08-10 13:20:18 +02:00
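The review note above ("no catch-alls", `<HOST>` replaced with `<ADDR>`) describes an injection problem that recurs across this log: a greedy catch-all before the host plus a hostname-permissive host group lets an attacker steer the ban at an address they chose. The following is an added Python contrast written for this page, not code from fail2ban or the roundcube filter; the log-line format, the user name and the addresses are constructed, loosely modelled on a generic "Login failed for USER ... from IP" message, and both regexes are assumptions for illustration.

```python
import re
from typing import Optional

# Loose pattern in the style these reviews remove: a catch-all before the host and a
# hostname-permissive \S+ for the host itself. Written for contrast only.
LOOSE = re.compile(r"Login failed for (?P<user>.*?) from (?P<host>\S+)")

# Hardened form: anchored at both ends, the free-text user field is boxed in by fixed
# tokens ("against <server> from"), and the address must be a literal IPv4 at end of
# line (an <ADDR>-like group), so text smuggled into the user name cannot stand in
# for the client address.
STRICT = re.compile(
    r"^Login failed for (?P<user>.*) against (?P<server>\S+) from "
    r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3})$"
)


def host_loose(line: str) -> Optional[str]:
    """What the loose regex would hand to the ban action."""
    m = LOOSE.search(line)
    return m.group("host") if m else None


def addr_strict(line: str) -> Optional[str]:
    """What the hardened regex hands to the ban action (None = no failure)."""
    m = STRICT.search(line)
    return m.group("addr") if m else None


# Constructed samples (not real roundcube output). In INJECTED the attacker logged in
# with the user name "alice from 203.0.113.9"; 203.0.113.9 is an innocent third party.
BENIGN = "Login failed for alice against mail.example.net from 198.51.100.5"
INJECTED = "Login failed for alice from 203.0.113.9 against mail.example.net from 198.51.100.5"
NOT_AN_IP = "Login failed for bob against mail.example.net from gateway"

if __name__ == "__main__":
    for line in (BENIGN, INJECTED, NOT_AN_IP):
        print(f"loose={host_loose(line)!s:<14} strict={addr_strict(line)!s:<14} {line}")
```

On the injected line the loose form bans 203.0.113.9 while the real client 198.51.100.5 walks; on the hostname line it "bans" the string `gateway`, which the strict form simply refuses to match. Anchoring the address at a fixed position at end of line is also what makes the simple, non-injected case cheaper, since the engine no longer has to try every `from` in the line.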
Maksim Usmanov | Maks 35afe20ea0
Roundcube 1.4 change log format
From roundcube 1.4 log change format -> e92d8e31a3/program/lib/Roundcube/rcube_imap.php (L194)
2024-08-09 22:53:45 +02:00
sebres d4663e8941 `action.d/firewallcmd-rich-*.conf`: fixed incorrect quoting, disabling port variable expansion by substitution of rich rule; closes gh-3815 2024-08-07 22:43:42 +02:00
sebres 9a558589d7 review (anchoring RE, etc) 2024-07-30 19:16:40 +02:00
Jose db8c943a7b Add jail to jail.conf as requested by test-suite 'More filters exists than are referenced in stock jail.conf set(['proxmox'])' 2024-07-30 19:11:02 +02:00
Jose 83f2d59eee match numbers 2024-07-30 19:05:56 +02:00
Jose 07a7da8d8e Remove greedy catch-all before HOST 2024-07-30 19:05:55 +02:00